Re: CSS dangers with XSS?

From: dork@gmx.at
Date: Tue Mar 14 2006 - 21:09:58 EST


hi!

if you just mean further requests that could be triggered, there would be the
IE specific
   filter:... src='http://example.com/...'
but if you mean anything like css triggered javascript, afaik
   behavior:url(javascript.htc)
is the most dangerous, but uses url() and is restricted, especially under
newer ie/xp sp2 combinations (and only works under internet explorer
anyway)

do not forget about quotes in general to avoid event handler registration. if
you display custom input within attributes (such as href), you should
consider opt-in instead of opt-out filtering. there are always new browser
features or possibilities like
   <a href="http://example.com%2F redir=test.com">.
pedantic rule of thumb: if there is an rfc or any other standard limiting
allowed chars to a specific encoding, a given range of possible values or a
specific type, you generally do not have to allow anything different. an
exception could be some vendor specific *extension*. if you use a provided
string in an output that normally would need a special encoding, treat it
like this, regardless of the kind of usage you planned.

hth, if i didn't get your question wrong.

On Monday 13 March 2006 22:04, offset wrote:
> Hello fellow pen-testers.
>
> Trying to increase my test data for XSS.
>
> Anyone know of any other CSS dangerous tags other than url() that could be
> used to bypass XSS filters that filter out the typical <>%{}\[] etc?
>
> Thanks in advance,
>

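The reply's two recommendations, opt-in (allowlist) validation of user-controlled attribute values and context-appropriate encoding of whatever passes, in working form. This is an added example, not code from the original post or its author. It assumes that only http and https links are wanted in an href (the allowed scheme set is an assumption), uses a constructed subset of CSS named colours, and exercises the validators against the two strings the thread mentions (the href with an embedded space and a behavior:url() value) plus constructed benign inputs.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Opt-in character class for a URL, built from RFC 3986: unreserved and
# sub-delims characters, the allowed punctuation ":" "@" "/" "?", and
# percent-encoded triplets. A literal space, a newline, "<", ">" or a
# quote is simply not in the set, so it is rejected rather than escaped.
_URI_CHARS = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")

# Assumption for this example: the application only ever links to web pages.
_ALLOWED_SCHEMES = {"http", "https"}


def safe_href(value: str) -> Optional[str]:
    """Return an HTML-attribute-encoded href, or None when the input is not a
    plain http(s) URL made only of RFC 3986 characters (opt-in validation)."""
    if not _URI_CHARS.fullmatch(value):
        return None
    parts = urlsplit(value)
    # Require an explicit, allowed scheme and a host: scheme-relative and
    # javascript:-style values fail here even though their characters pass.
    if parts.scheme.lower() not in _ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Validated, but still encoded for the attribute context it is emitted in,
    # as the reply recommends; "&" becomes "&amp;" and quotes become entities.
    return html.escape(value, quote=True)


# Opt-in grammar for a single CSS colour value: "#rgb", "#rrggbb", or a name
# from a small constructed allowlist. Anything else (including url(),
# behavior: or a second declaration after ";") is rejected outright.
_HEX_COLOR = re.compile(r"^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})$")
_NAMED_COLORS = {"black", "white", "red", "green", "blue", "gray"}  # constructed subset


def safe_css_color(value: str) -> Optional[str]:
    """Return the colour value if it matches the allowed grammar, else None."""
    v = value.strip()
    if _HEX_COLOR.fullmatch(v) or v.lower() in _NAMED_COLORS:
        return v
    return None


def render_link(href: str, color: str) -> str:
    """Emit an anchor only when both user-supplied values validated; otherwise
    fall back to fixed, safe defaults instead of trying to strip bad parts."""
    h = safe_href(href) or "#"
    c = safe_css_color(color) or "black"
    return '<a href="%s" style="color:%s">link</a>' % (h, c)


if __name__ == "__main__":
    # Constructed sample inputs: the thread's two examples plus benign values.
    samples = [
        ("http://example.com/a?b=1&c=2", "#ff0000"),
        ("http://example.com%2F redir=test.com", "red"),   # space: rejected
        ("http://example.com/", "red; behavior:url(javascript.htc)"),
    ]
    for href, color in samples:
        print(repr(href), "->", safe_href(href))
        print(repr(color), "->", safe_css_color(color))
        print(render_link(href, color))
```

The point of the two validators is that neither contains a list of things to remove: they describe the only shapes a value may take, so a new browser feature or encoding trick has nothing to bypass. The render step then encodes the validated value for the attribute context anyway, which is the "treat it like this regardless of planned usage" rule.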
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:41 EDT